Posted to commits@cloudstack.apache.org by da...@apache.org on 2023/01/09 13:03:39 UTC

[cloudstack] branch ldapInjection created (now 9b022358cd)

This is an automated email from the ASF dual-hosted git repository.

dahn pushed a change to branch ldapInjection
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


      at 9b022358cd escapes for injection prtection

This branch includes the following new commits:

     new 9b022358cd escapes for injection prtection

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[cloudstack] 01/01: escapes for injection prtection

Posted by da...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

dahn pushed a commit to branch ldapInjection
in repository https://gitbox.apache.org/repos/asf/cloudstack.git

commit 9b022358cd9002b635fc9ca5502e4aa0a33a3fe8
Author: Daan Hoogland <da...@onecht.net>
AuthorDate: Mon Jan 9 11:08:06 2023 +0100

    escapes for injection prtection
---
 .../java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
index 5fe27e50d4..07d896a2c8 100644
--- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/OpenLdapUserManagerImpl.java
@@ -83,7 +83,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
         usernameFilter.append("(");
         usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
         usernameFilter.append("=");
-        usernameFilter.append((username == null ? "*" : username));
+        usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
         usernameFilter.append(")");
 
         String memberOfAttribute = _ldapConfiguration.getUserMemberOfAttribute(domainId);
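Review bot: Escaping `username` where the filter is built (the `+` line) changes what callers can pass: any `*` in the argument is now matched literally, and a value a caller has already escaped would be escaped a second time. The `null` branch still emits an unescaped `*`, which suggests wildcard lookups are an intended use of this filter, so callers that build prefix or substring patterns should be checked before merging. The same applies to the `groupName` line in the second hunk and the `username` line in the third. The callers are not visible in this diff, so this is a question rather than a confirmed regression; I would document the contract on the method, e.g. `// username is a literal value: it is escaped here, so callers must not pre-escape it or embed wildcards`. The enclosing method starts and ends outside the hunk.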
@@ -154,7 +154,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
         groupNameFilter.append("(");
         groupNameFilter.append(_ldapConfiguration.getCommonNameAttribute());
         groupNameFilter.append("=");
-        groupNameFilter.append((groupName == null ? "*" : groupName));
+        groupNameFilter.append((groupName == null ? "*" : LdapUtils.escapeLDAPSearchFilter(groupName)));
         groupNameFilter.append(")");
 
         final StringBuilder result = new StringBuilder();
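Review bot: The expression `x == null ? "*" : LdapUtils.escapeLDAPSearchFilter(x)` now appears three times in this file (here for `groupName`, and for `username` in the first and third hunks), so a filter builder added later can easily miss it. A small private helper keeps the escaping decision in one place: `private static String filterValue(final String value) { return value == null ? "*" : LdapUtils.escapeLDAPSearchFilter(value); }`, with each call site reduced to `groupNameFilter.append(filterValue(groupName));`. The enclosing method continues past the end of the hunk.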
@@ -194,7 +194,7 @@ public class OpenLdapUserManagerImpl implements LdapUserManager {
         usernameFilter.append("(");
         usernameFilter.append(_ldapConfiguration.getUsernameAttribute(domainId));
         usernameFilter.append("=");
-        usernameFilter.append((username == null ? "*" : username));
+        usernameFilter.append((username == null ? "*" : LdapUtils.escapeLDAPSearchFilter(username)));
         usernameFilter.append(")");
 
         final StringBuilder memberOfFilter = new StringBuilder();
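Review bot: The `memberOfFilter` started on the last line of this hunk is built outside the visible lines and is not touched by this commit; if the value appended to it comes from a caller-supplied group name or DN, it needs the same treatment (filter-value escaping, and DN escaping if a DN is assembled from parts). Separately, the diffstat shows only this one file changed, so no test covers the new behaviour. A unit test that passes a username containing filter metacharacters (`*`, `(`, `)`, `\`) and asserts on the generated filter string would pin the fix and also catch double escaping.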